Cloud computing e-discovery risks a concern

CAMBRIDGE, Md.-- Federal lawyers and record managers are watching closely how the General Services Administration, the Agriculture Department and others move their email and collaboration services to private sector cloud computing providers.

Some at the Justice Department and the National Archives and Records Administration aren't worried so much about cybersecurity or bid protests, but more about the data.

When the government faces a lawsuit, will the agency be able to find and provide the information the lawyers or the court requires? Will the agency have access to their data and all the meta data that surrounds emails or other documents stored in the third-party cloud?

"It really is a unique moment in history where the agencies have the opportunity to proactively build into the cloud services they will be acquisitioning these efficiencies for potential litigation with making sure that any of the cloud services they will be procuring do build in to e-discovery considerations such as how a litigation hold will be implemented on their data on the cloud, how they will be able to search and collect information in the cloud and provide it to the litigators in the various cases they may be involved in," said Allison Stanton, DoJ's director of E-Discovery. "It's really a unique opportunity to go even the next step further of helping avoid costs that will be down the road in how to collect, preserve and provide the information."

The issue of e-discovery is a growing concern among federal lawyers because of the cost in terms of dollars and in employee hours sorting through the overflowing amounts of digital information.

"When it comes to data retention, cloud service providers are subject to the laws of the jurisdiction," Stanton said during her presentation at the Federal Senior Management Conference. "For instance, the European Union will not export data stored in a EU country to another country whose privacy laws aren't similar. And the U.S. doesn't fit into that area."

The idea of jurisdiction is a big deal around cloud service providers. GSA and its contractor, Unisys, came under criticism last year when it wouldn't respond to questions about where the agency's data would be stored in Google's cloud.

GSA and Unisys only would say it's secure and policy dictates they do not comment on the location of the cloud.

GSA hired Unisys last December to implement the Google e-mail system for the agency under a $6.7 million contract.

"We do know there is case law out there where there sometimes is a difficulty in getting information out of jurisdictions because their laws are not the same as the U.S.," Stanton said. "It's up to the individual agencies to be conscious where their information is and what, if any, legal ramifications there would be to collecting their information or accessing their information if another jurisdiction's laws do apply to where their information is stored."

She added that the cost to get the information could increase significantly, and that doesn't include the expensive process just to sort through the mounds of existing data. She estimates that one terabyte of data costs about $1 million in litigation costs to do discovery.

Part of the way agencies could keep costs down is not to use cloud storage as a junk drawer. Stanton said with the cost of data storage so little, it's easy to just put everything in the cloud. She said it's important for agencies to follow data retention and disposal standards.

She said agencies also need to think through these issues before going through the procurement with lawyers, acquisition officials, privacy officers, technology folks and Freedom of Information Act experts.

"It's important for agencies when they have all those stakeholders at the table to say 'what type of data do we have? Where should it be located? What do we need to make sure it will be accessible to us?'" she said. "And be cognizant of some of the complications that can arise in getting information out of jurisdictions that we do know have more rigorous standards on certain types of data."

Stanton said there is no official Justice Department guidance on these issues.

She does recommend agencies include some basic language in their contracts around:

Termination of services

Privacy and security of data

Retention procedures

Audits of the third party systems that stores the data

The process for litigation holds

Details of whether the prime subcontracts the data storage

Jason Baron, director of litigation at in NARA's Office of General Counsel, said the agency has sent information to GSA and others requesting that all request for proposals for cloud services include standard language requiring third parties to comply with the Federal Records Act.

The Chief Information Officer's Council also issued privacy guidance around cloud computing in August, which highlighted the importance of e-discovery.

Stanton said two areas where agencies and Justice will face this challenge of information access-bid protests and run-of-the-mill lawsuits.

"One of reasons why we are being proactive in trying to help and partner with agencies so they think about how that procurement process is working," she said.